Introduce safer_staticfiles app as user-friendly security measure for #260 (#261)

* Introduce safer_staticfiles app to ignore .py,.html as security measure. Docs up-to-date * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
2025-09-17 03:15:02 +00:00 · 2023-04-11 13:55:11 +02:00 · 2023-04-11 13:55:11 +02:00 · fa41387a53
commit fa41387a53
parent 2fa8b46936
5 changed files with 59 additions and 7 deletions
--- a/django_components/safer_staticfiles/init.py
+++ b/django_components/safer_staticfiles/init.py
--- a/django_components/safer_staticfiles/apps.py
+++ b/django_components/safer_staticfiles/apps.py
@ -0,0 +1,18 @@
+from django.contrib.staticfiles.apps import StaticFilesConfig
+
+
+class SaferStaticFilesConfig(StaticFilesConfig):
+    """
+    Extend the `ignore_patterns` class attr of StaticFilesConfig to include Python
+    modules and HTML files.
+
+    When this class is registered as an installed app,
+    `$ ./manage.py collectstatic` will ignore .py and .html files,
+    preventing potentially sensitive backend logic from being leaked
+    by the static file server.
+    """
+
+    default = (
+        True  # Ensure that _this_ app is registered, as opposed to parent cls.
+    )
+    ignore_patterns = StaticFilesConfig.ignore_patterns + ["*.py", "*.html"]
--- a/django_components/templatetags/component_tags.py
+++ b/django_components/templatetags/component_tags.py
@ -194,7 +194,7 @@ class SlotNode(Node):
        else:
            fill_node = fill_node_stack.pop()
            nodelist = fill_node.nodelist
-            # context[FILLED_SLOTS_CONTEXT_KEY].pop(self.name)
+
            if fill_node.alias_var is not None:
                aliased_slot_var = UserSlotVar(self, context)
                resolved_alias_name = fill_node.alias_var.resolve(context)